CVE-2024-43398
Published 2024-08-22. CVE-2024-43398: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local…
Priority: P4 (30) · medium 5.9 · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (network, high attack complexity, no privileges, no user interaction, unchanged scope, no confidentiality or integrity impact, high availability impact)
EPSS: 1.21% (64.5th percentile)
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses XML that has many deeply nested elements whose attributes share the same local name. If you need to parse untrusted XML with the tree parser API, such as REXML::Document.new, you may be affected by this vulnerability. Other parser APIs, such as the stream parser API and the SAX2 parser API, are not affected. REXML 3.3.6 or later includes the fix.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sequoia | — | — |
| apple | macos_sonoma | — | — |
| apple | macos_tahoe | — | — |
| debian | ruby2.7 | < ruby2.7 2.7.4-1+deb11u3 (bullseye) | ruby2.7 2.7.4-1+deb11u3 (bullseye) |
| debian | ruby3.1 | — | — |
| debian | ruby3.3 | — | — |
| msrc | azl3_ruby_3.3.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_ruby_3.3.5-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.3.4-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.3.9-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_ruby_3.1.4-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rubygem-rexml_3.2.9-1_on_cbl_mariner_2.0 | — | — |
| ruby-lang | rexml | < 3.3.6 | 3.3.6 |
| ruby | rexml | < 3.3.6 | 3.3.6 |
| ruby | rexml | >= 0 < 3.3.6 | 3.3.6 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 5.9 | MEDIUM | — |
| vendor_debian | 5.9 | MEDIUM | — |
| vendor_msrc | 5.9 | MEDIUM | — |
| vendor_redhat | 5.9 | MEDIUM | — |
| vendor_ubuntu | 5.3 | MEDIUM | — |
Apple
CVE-2024-43398: macOS Tahoe 26.1
vendor_apple·2025-11-03·CVSS 5.9
CVE-2024-43398 [MEDIUM] CVE-2024-43398: macOS Tahoe 26.1
Apple Security Update: About the security content of macOS Tahoe 26.1
Product: macOS Tahoe
Version: 26.1
Apple
CVE-2024-43398: macOS Sonoma 14.8.2
vendor_apple·2025-11-03·CVSS 5.9
CVE-2024-43398 [MEDIUM] CVE-2024-43398: macOS Sonoma 14.8.2
Apple Security Update: About the security content of macOS Sonoma 14.8.2
Product: macOS Sonoma
Version: 14.8.2
Apple
CVE-2024-43398: macOS Sequoia 15.7.2
vendor_apple·2025-11-03·CVSS 5.9
CVE-2024-43398 [MEDIUM] CVE-2024-43398: macOS Sequoia 15.7.2
Apple Security Update: About the security content of macOS Sequoia 15.7.2
Product: macOS Sequoia
Version: 15.7.2
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2025-04-07·CVSS 5.3
CVE-2024-35176 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the net-imap response parser. If a user or automated system were tricked into connecting to a malicious IMAP server, a remote attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2025-02-06
CVE-2024-43398 Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rexml: DoS vulnerability in REXML
vendor_redhat·2024-08-22·CVSS 5.9
CVE-2024-43398 [MEDIUM] CWE-776 rexml: DoS vulnerability in REXML
rexml: DoS vulnerability in REXML
A vulnerability was found in REXML RubyGems. This package is vulnerable to denial of service (DoS) when parsing a deep XML structure with the same local name attribute. This vulnerability only affects tree parser API like REXML::Document.new, other parser APIs such as stream pars
Microsoft
REXML denial of service vulnerability
vendor_msrc·2024-08-13·CVSS 5.9
CVE-2024-43398 [MEDIUM] CWE-776 REXML denial of service vulnerability
REXML denial of service vulnerability
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.c
Debian
CVE-2024-43398: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerabi...
vendor_debian·2024·CVSS 5.9
CVE-2024-43398 [MEDIUM] CVE-2024-43398: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerabi...
Scope: local
bullseye: resolved (fixed in 2.7.4-1+deb11u3)
OSV
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
osv·2025-04-07·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the net-imap response parser. If a user or automated system were tricked into connecting to a malicious IMAP server, a remote attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)
OSV
REXML denial of service vulnerability
osv·2024-08-22
CVE-2024-43398 [HIGH] REXML denial of service vulnerability
REXML denial of service vulnerability
### Impact
The REXML gem before 3.3.6 has a DoS vulnerability when it parses XML that has many deeply nested elements whose attributes share the same local name.
If you need to parse untrusted XML with the tree parser API, such as `REXML::Document.new`, you may be affected by this vulnerability. Other parser APIs, such as the stream parser API and the SAX2 parser API, are not affected.
### Patches
The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
### Workarounds
Don't parse untrusted XML with the tree parser API.
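The following Ruby script is an added example, not code from the REXML project or from this advisory. It shows both halves of the guidance above: a check of the loaded REXML release against the 3.3.6 fix, and a parse path for untrusted input that uses the SAX2 parser API (which the advisory says is not affected) under a nesting-depth bound. The depth limit of 64, the helper names (`rexml_patched?`, `parse_untrusted`, `DepthLimitingListener`, `nested_sample`) and the constructed sample document are assumptions for illustration, not part of the advisory.

```ruby
require "rexml/document"
require "rexml/parsers/sax2parser"
require "rexml/sax2listener"

# First REXML release that carries the fix for CVE-2024-43398.
FIXED_REXML = Gem::Version.new("3.3.6")

# True when the loaded REXML (or the version string given) is at or past the fix.
# Use this to decide whether REXML::Document.new may see untrusted input at all.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML
end

class DepthLimitExceeded < StandardError; end

# SAX2 listener that tracks element nesting depth and aborts the parse once the
# document nests deeper than allowed. The SAX2 API is not affected by this CVE;
# the depth bound is an extra, assumed policy for untrusted input.
class DepthLimitingListener
  include REXML::SAX2Listener

  attr_reader :max_depth_seen, :element_count

  def initialize(max_depth)
    @max_depth = max_depth
    @depth = 0
    @max_depth_seen = 0
    @element_count = 0
  end

  def start_element(_uri, _localname, _qname, _attributes)
    @depth += 1
    @element_count += 1
    @max_depth_seen = @depth if @depth > @max_depth_seen
    raise DepthLimitExceeded, "nesting depth #{@depth} exceeds limit #{@max_depth}" if @depth > @max_depth
  end

  def end_element(_uri, _localname, _qname)
    @depth -= 1
  end
end

# Parse untrusted XML with the SAX2 parser under a depth bound.
# Returns [:ok, deepest_nesting, element_count] or [:rejected, reason].
def parse_untrusted(xml, max_depth: 64)
  listener = DepthLimitingListener.new(max_depth)
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(listener)
  parser.parse
  [:ok, listener.max_depth_seen, listener.element_count]
rescue DepthLimitExceeded => e
  [:rejected, e.message]
end

# Constructed sample: a document nested `depth` levels deep where every element
# carries an attribute with the same local name, the input shape the advisory
# describes. It is a test fixture for the depth guard, not a proof of concept.
def nested_sample(depth)
  open_tags  = (1..depth).map { |i| "<e#{i} a='x'>" }.join
  close_tags = depth.downto(1).map { |i| "</e#{i}>" }.join
  "<?xml version='1.0'?>#{open_tags}#{close_tags}"
end

if __FILE__ == $0
  puts "REXML #{REXML::VERSION} patched for CVE-2024-43398: #{rexml_patched?}"
  p parse_untrusted(nested_sample(10), max_depth: 64)
  p parse_untrusted(nested_sample(200), max_depth: 64)
end
```

On a patched gem `rexml_patched?` returns true and the tree API is usable again; on an older gem, keep untrusted documents on `parse_untrusted`, which never builds an in-memory tree and stops as soon as the nesting bound is crossed.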
### References
* https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org
OSV
CVE-2024-43398: REXML is an XML toolkit for Ruby
osv·2024-08-22·CVSS 5.9
CVE-2024-43398 [MEDIUM] CVE-2024-43398: REXML is an XML toolkit for Ruby
GHSA
REXML denial of service vulnerability
ghsa·2024-08-22
CVE-2024-43398 [HIGH] CWE-776 REXML denial of service vulnerability
No detection rules found.
No public exploits indexed.
Published: 2024-08-22